Hacking a Video Poker Machine

Kevin Poulsen has written an interesting story about two people who successfully exploited a bug in a popular video poker machine.

Posted on October 17, 2014 at 6:35 AM • 14 Comments

Comments

Anura • October 17, 2014 12:44 PM

I wonder what kind of legal issues there are for the makers of gaming machines. If there is a flaw, are they liable for the casino losses?

439ux309303j • October 19, 2014 10:04 PM

Most video poker machines are FIPS compliant with any diagnostic interfaces behind locked and trigger-sensor'ed enclosures. There are no intranet or WAN interfaces and house-variables and firmware updates are done through those ports.

Outside of glitching (electrodes and motorcycle solenoids) and these logic bugs and backdoors (this includes RNG weaknesses), they are literally physically impossible to compromise.

Daniel • October 20, 2014 12:23 AM

It's easy to blame the player's greed for the downfall of the scheme but what happens psychologically is that after a certain amount of time the ease of the exploit makes it no longer feel like greed--it simply is the way things work. When one becomes conditioned to easy money it's no longer easy money but a right.

(Hint, hint, NSA).

hoodathunkit • October 20, 2014 6:28 AM

"message of this story is that you are not allowed to win at Las Vegas"

That has always been true. Gambling is legally 'entertainment', but even a person winning (by fantastic odds) can be prosecuted or barred. Been that way forever, and casino losses are owed since 'casino loss' is —of and by itself— illegal. It's true that many casinos take the loss for public relations' sake and merely bar the person, but they can prosecute. Here's another example of being charged for 'causing ... a large financial loss'

This case is only troubling in that the prosecution was for 'pressing certain keys' to make something in a computer work a certain (probably not intended) way. It is exactly the same as pressing Ctrl-Alt-Ins (pretend you missed the Delete key) and finding out it changed Win8 into Server2012; it was taking advantage of a software bug.

Luckily the federal computer prosecution crashed because gaming statutes prosecution would have been a slam-dunk.

The story, like Vegas, is another depressing tale of two people like many others horribly addicted to gambling. But for that obsession they could have kept jobs like normal folks and made money —instead of losing thousands— on the side from occasionally playing the machines and leveraging the software glitch. It is sad.

paul • October 20, 2014 8:44 AM

Think of it as an implicit EULA: "You are not authorized to access this machine in a way that results in winning consistently."

Which in a way is good for the general gambling public as well -- if it were OK to win by skill, fleecing the rubes would be even easier.

Software testing is good • October 20, 2014 12:16 PM

John Kane was allowed to keep his Nevada winnings, but Andre Nestor wasn't allowed to keep his Pennsylvania winnings. Two different states, two different sets of laws. It was the state district attorney who seized Nestor's money, so I supposed that Nestor would have to sue the state.

If these two guys hadn't been greedy about milking all they could from that bug, this could have gone on for years.

As for the ramifications of what happened, I'm guessing that the software license from Game King is the standard, "no liabilities." "Our software was written by rabid, epileptic monkeys strung out on drugs, and has NO WARRANTY or guarantee of fitness for any purpose." Thus, Game King isn't responsible for the casino's loss of income.

I suppose something like this could also be equivalent to a design problem in a slot or pachinko machine, where a specific vibration pattern would cause the machine to signal a jackpot. If someone finds that vibration pattern and exploits it, are they stealing?

Casinos don't like to lose, and they will throw out people who "win too much." I've read about the card counting groups, and they had to be careful to not tip off the casino security.

Milo M. • October 20, 2014 1:54 PM

This story features one of Bruce's favorites, social engineering. So low tech, yet so effective.

From the Pennsylvania indictment:

http://www.pgcb.state.pa.us/files/communications/20091007_Washington_County_DA_PR.pdf

"Nestor, who posed as a 'high roller,' frequented the casino and represented himself as a legitimate player, gaining casino employee trust by giving sizable tips and being courteous to staff. He often recounted stories of his successful winnings in Las Vegas and on more than one occasion called himself a 'professional gambler.' The Casino considered Nestor a high roller based on his deception, the substantial amount of wagers played and jackpots claimed.

Nestor's ruse required the participation of other conspirators. Chiefly involved with the group was Kerry Laverde. Laverde, believed a longtime companion of Nestor, is a former police officer with the Swissvale Borough Police in Allegheny County. Laverde posed as security for the seemingly wealthy Nestor and wore a policeman's badge when dressed in plainclothes."

It helps to have naive employees.

"Shortly after arrival, Nestor inquired about the slot machine's 'Double Up' feature to slot technician Daniel Joseph Downing, a Meadows Racetrack and Casino employee. Specifically, Nestor asked Downing to activate the machine's 'Double Up' feature, as it was deactivated at the time. Downing indicated to Nestor that he would check the machine's settings to determine if he was able to activate this feature. Nestor expressed to Downing that he would often have slot technicians change this option on slot machines in Las Vegas, Nevada. Downing then accessed the slot machine's programming through the video menus located on the device's monitor. Upon accessing the device's programming menu, Downing was unable to locate the 'Double Up' feature in question. Nestor then offered to show Downing the location of the feature on the machine's programming menu. Downing refused Nestor direct contact with the machine, but allowed Nestor to guide him through the menu screens. Downing then located the appropriate game specific menu which enabled the 'Double Up' feature and activated it, per Nestor's request."

http://triblive.com/aande/gambling/5354565-74/nestor-poker-machine#axzz3GiDG9XTk

"Sullivan says the Meadows was 'made whole' and recovered all of the almost $480,000 he said Nestor got from the casino's machines. More than 600 local charges against Nestor were dropped in 2011."


Tony H. • October 20, 2014 3:16 PM

So the Nevada Gaming Control Board has the source code for every game ever approved for use in that state. A very good idea, certainly. Of course no one would dream of demanding that the source for bank ATMs and voting machines be kept on file by government authorities...

Say - I wonder if the NSA has a handy repository of that stuff.

Fred P • October 20, 2014 3:23 PM

I was in the Video Lottery Terminal (gaming machines run by governments, as opposed to private entities) business for over 5 years ending about 12 years ago.

We had a situation that was extremely similar to the one described in this article (you could increase the bet in an unexpected way at a time during which doing so would increase your average payout above 100%). The main difference between our situation and that described in the article was that we found the defect internally (after it had already been released in the field), and we had no evidence that anyone had taken advantage of it before we had the game shut down until it was fixed.

@Anura - While I can think of times when our company apparently paid for inaccurate payouts, I was not involved enough in those discussions to relate if those were legal requirements, contractual requirements, or simply keeping our customers happy (the total payouts I was aware of constituted less than 0.1% of our income from those contracts in our worst year).

Fred P • October 20, 2014 3:44 PM

@439ux309303j

In the industry I worked in (VLT), all the machines were on one or more local networks - this was for monetary reporting, progressive jackpots, and to check that the code running was the same as the archived code. In some cases, this was attached to a larger-area network.

The security of those machines was pretty good, but I'm moderately confident that when I was working on those machines, I could have hacked our own machines with a large enough conspiracy (1 tech, 1 auditor, 1 operator, myself, and multiple outsiders would have worked). Getting away with enough money to make it worthwhile would have been more effort; I'm not clear it was feasible from a financial point of view.

Also, while I did not explore it, our machines (like most) were internally networks of computers often by various companies with various levels of (in)security - some of the interfaces were known to be vulnerable (I hope they've been addressed by now), and others may have been vulnerable. I think that with a slightly smaller conspiracy (and more effort on my part), we could have attacked some of the interfaces enough to affect the odds in our favor.

Finally, some of the external interfaces were wide open to some attack vectors. Again, I hope these issues have been addressed.

I have no reason to believe that any other insider with comparable access couldn't do the same thing with their company's machines - and in some cases, with their competitor's.

Shawn Smith • October 20, 2014 5:30 PM

Just a couple minor nits to pick:

"Game King" is the name of the platform. The manufacturer is IGT, soon to be GTech. Kind of like the difference between Monopoly and Parker Brothers/Hasbro.

The Nevada Gaming Control Board has the complete source code of all games submitted for approval, not just approved, as some of the submissions do not get approved.

Nevada regulations also require that, for electronic gaming machines, the selection process used to determine a winner "... must not produce detectable patterns of game elements or detectable dependency upon any previous game outcome, the amount wagered, or upon the style or method of play." (Regulation 14.040.2(c)).

My sense (but not in any way legal opinion) is that IGT could be held responsible for not complying with said regulation and partly the Gaming Control Board for approving a non-compliant game for use by the public, if someone really wanted to make an issue of this.

Alex • November 10, 2014 11:47 AM

Interesting that the bug effectively increases their Kelly edge (it doesn't change losses to wins, it lets you target your bankroll on wins)
